Children

Information Commissioner’s Office, “Guide to the GDPR”, retrieved on 9th May 2018, licensed under the Open Government Licence.

At a glance

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind.

Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data.

You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

If you are relying on consent as your lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. (This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval.)

For children under this age you need to get consent from whoever holds parental responsibility for the child – unless the online service you offer is a preventive or counselling service.

Children merit specific protection when you use their personal data for marketing purposes or creating personality or user profiles.

You should not usually make decisions based solely on automated processing about children if this will have a legal or similarly significant effect on them.

You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.

Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.

An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.

Checklists

All automated individual decision-making and profiling

General

We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist.

We design our processing with children in mind from the outset, and use a data protection by design and by default approach.

We make sure that our processing is fair and complies with the data protection principles.

As a matter of good practice, we use DPIAs to help us assess and mitigate the risks to children.

If our processing is likely to result in a high risk to the rights and freedoms of children then we always do a DPIA.

As a matter of good practice, we consult with children as appropriate when designing our processing.

Bases for processing a child’s personal data

When relying on consent, we make sure that the child understands what they are consenting to, and we do not exploit any imbalance in power in the relationship between us.

When relying on ‘necessary for the performance of a contract’, we consider the child’s competence to understand what they are agreeing to, and to enter into a contract.

When relying upon ‘legitimate interests’, we take responsibility for identifying the risks and consequences of the processing, and put age appropriate safeguards in place.

Offering an Information Society Service (ISS) directly to a child, on the basis of consent

If we decide not to offer our ISS (online service) directly to children, then we mitigate the risk of them gaining access, using measures that are proportionate to the risks inherent in the processing.

When offering ISS to UK children on the basis of consent, we make reasonable efforts (taking into account the available technology and the risks inherent in the processing) to ensure that anyone who provides their own consent is at least 13 years old.

When offering ISS to UK children on the basis of consent, we obtain parental consent to the processing for children who are under the age of 13, and make reasonable efforts (taking into account the available technology and risks inherent in the processing) to verify that the person providing consent holds parental responsibility for the child.

When targeting wider European markets we comply with the age limits applicable in each Member State.

We regularly review available age verification and parental responsibility verification mechanisms to ensure we are using appropriate current technology to reduce risk in the processing of children’s personal data.

We don’t seek parental consent when offering online preventive or counselling services to a child.

Marketing

When considering marketing to children we take into account their reduced ability to recognise and critically assess the purposes behind the processing and the potential consequences of providing their personal data.

We take into account sector specific guidance on marketing, such as that issued by the Advertising Standards Authority, to make sure that children’s personal data is not used in a way that might lead to their exploitation.

We stop processing a child’s personal data for the purposes of direct marketing if they ask us to.

We comply with the direct marketing requirements of the Privacy and Electronic Communications Regulations (PECR).

Solely automated decision making (including profiling)

We don’t usually use children’s personal data to make solely automated decisions about them if these will have a legal, or similarly significant effect upon them.

If we do use children’s personal data to make such decisions then we make sure that one of the exceptions in Article 22(2) applies and that suitable, child appropriate, measures are in place to safeguard the child’s rights, freedoms and legitimate interests.

In the context of behavioural advertising, when deciding whether a solely automated decision has a similarly significant effect upon a child, we take into account: the choices and behaviours that we are seeking to influence; the way in which these might affect the child; and the child’s increased vulnerability to this form of advertising; using wider evidence on these matters to support our assessment.

We stop any profiling of a child that is related to direct marketing if they ask us to.

Privacy notices

Our privacy notices are clear, and written in plain, age-appropriate language.

We explain to children why we require the personal data we have asked for, and what we will do with it, in a way which they can understand.

As a matter of good practice, we explain the risks inherent in the processing, and how we intend to safeguard against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their personal data.

We tell children what rights they have over their personal data in language they can understand.

As a matter of good practice, if we are relying upon parental consent then we offer two different versions of our privacy notices; one aimed at the holder of parental responsibility and one aimed at the child.

The child’s data protection rights

We design the processes by which a child can exercise their data protection rights with the child in mind, and make them easy for children to access and understand.

We allow competent children to exercise their own data protection rights.

If our original processing was based on consent provided when the individual was a child, then we comply with requests for erasure whenever we can.

We design our processes so that, as far as possible, it is as easy for a child to get their personal data erased as it was for them to provide it in the first place.

In brief

If you rely on consent as your lawful basis for processing personal data when offering an ISS directly to children, only children aged 13 or over are able to provide their own consent. You may therefore need to verify that anyone giving their own consent in these circumstances is old enough to do so.

For children under this age you need to get consent from whoever holds parental responsibility for them – unless the ISS you offer is an online preventive or counselling service.

You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child.

Children merit specific protection when you are collecting their personal data and using it for marketing purposes or creating personality or user profiles.

You should not usually make decisions about children based solely on automated processing if this will have a legal or similarly significant effect on them. The circumstances in which the GDPR allows you to make such decisions are limited and only apply if you have suitable measures to protect the interests of the child in place.

You must write clear and age-appropriate privacy notices for children.

The right to have personal data erased is particularly relevant when the individual gave their consent to processing when they were a child.

As with adults, you need to have a lawful basis for processing a child’s personal data and you need to decide what that basis is before you start processing.

You can use any of the lawful bases for processing set out in the GDPR when processing children’s personal data. But for some bases there are additional things you need to think about when your data subject is a child.

If you wish to rely upon consent as your lawful basis for processing, then you need to ensure that the child can understand what they are consenting to, otherwise the consent is not ‘informed’ and therefore invalid. There are also some additional rules for online consent.

If you wish to rely upon ‘performance of a contract’ as your lawful basis for processing, then you must consider the child’s competence to agree to the contract and to understand the implications of this processing.

If you wish to rely upon legitimate interests as your lawful basis for processing you must balance your own (or a third party’s) legitimate interests in processing the personal data against the interests and fundamental rights and freedoms of the child. This involves a judgement as to the nature and purpose of the processing and the potential risks it poses to children. It also requires you to take appropriate measures to safeguard against those risks.

Consent is not the only basis for processing children’s personal data in the context of an ISS.

However, if you do rely upon consent as your lawful basis for processing personal data when offering an ISS directly to children, in the UK only children aged 13 or over can consent for themselves. (This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval.) You therefore need to make reasonable efforts to verify that anyone giving their own consent in this context is old enough to do so.

For children under this age you need to get consent from whoever holds parental responsibility for them – unless the ISS you offer is an online preventive or counselling service.

You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child.

You should regularly review the steps you are taking to protect children’s personal data and consider whether you are able to implement more effective verification mechanisms when obtaining consent for processing.

In most circumstances you should not make decisions about children that are based solely on automated processing (including profiling) if these have a legal effect on the child, or similarly significantly affect them.

The GDPR gives children the right not to be subject to this type of decision. Although there are exceptions to this right, they only apply if suitable measures are in place to protect the rights, freedoms and legitimate interests of the child.

If you profile children then you must provide them with clear information about what you are doing with their personal data. You should not exploit any lack of understanding or vulnerability.

You should generally avoid profiling children for marketing purposes. You must respect a child’s absolute right to object to profiling that is related to direct marketing, and stop doing this if they ask you to.

It is possible for behavioural advertising to ‘similarly significantly affect’ a child. It depends on the nature of the choices and behaviour it seeks to influence.

You must provide children with the same information about what you do with their personal data as you give adults. It is good practice to also explain the risks inherent in the processing and the safeguards you have put in place.

You should write in a concise, clear and plain style for any information you are directing to children. It should be age-appropriate and presented in a way that appeals to a young audience.

If you are relying upon parental consent as your lawful basis for processing it is good practice to provide separate privacy notices aimed at both the child and the responsible adult.

If you provide an ISS and children younger than your target age range are likely to try and access it then it is good practice to explain any age limit to them in language they can understand.

Children have the same rights as adults over their personal data and can exercise their own rights as long as they are competent to do so. Where a child is not considered to be competent, an adult with parental responsibility may exercise the child’s data protection rights on their behalf.
